OASIS Mailing List Archives

Subject: Resources


Hello all,

I just wanted to post some thoughts so we have some things to think about before the next meeting.

For risk ranking, we have all seen the common words: low, minor, moderate, medium, high, severe, serious, and critical. Don't forget my favorite--Microsoft's "Important".
These words are often used in the context of "Severity" or "Priority".

Some, like CERT, use a number instead:
http://www.kb.cert.org/vuls/html/fieldhelp#metric

Others might skip this ranking scheme because of difficulty and/or confusion. They choose to use words like "remote" or "local", or a few words explaining the impact of the vulnerability, such as "Allows users to..."

A good thing to do is to browse security portals such as Bugtraq to get an idea of what methods people are using.

For vulnerability classification, the terms used are a bit more stable, such as "Input validation error (Buffer overflow)", but others need more consistency.

Vulnerability classification links:
http://icat.nist.gov/icat_documentation.htm
http://www.securityfocus.com/bid/7230/help/

I think this TC is a good step towards cleaning up the mess of vulnerability info.

I have links to related standards on my website for those interested:
http://www.opensec.org/resources.html

With ANML (http://www.opensec.org/anml/), I am working on the advisory itself and plan on having an assessment element with a type attribute such as:
<assess type="vulnxml">
<assess type="oval">
<assess type="avdl">

For those not familiar with OVAL (http://oval.mitre.org/), the Open Vulnerability Assessment Language uses SQL for assessment logic but recently announced an XML version which I am helping with. OVAL differs in that it checks system characteristics and configuration attributes (e.g. file version is... or registry key exists) whereas AVDL and VulnXML work more intimately with the application to check the presence of vulnerabilities (e.g. sending HTTP requests, examining responses, sessions). I don't want to open a debate because they are different approaches and both are useful.

I have a question:
AVDL and VulnXML both have some kind of vulnerability testing scheme. Does WAS plan on using AVDL for testing and solely focus on ranking and classification?

Thanks,
Nasseam Elkarra
nelkarra@opensec.org